Closed eahlberg closed 1 year ago
My first impression is that this is a bug in the metadata. Could you verify @infinisil
The relevant part of the metadata is:
"attestationCertificateKeyIdentifiers": [
"413486e96dbd403f9936dd65352a8dd5",
"0a426ee17afd16533b1cdfa95de1e920a6aedf3a"
],
Which is defined in the metadata specification as:
This value MUST be calculated according to method 1 for computing the keyIdentifier as defined in [RFC5280] section 4.2.1.2.
Referring to this section:
The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
Which is it obviously is not.
@eahlberg We have reported the issue to the fido alliance, and are considering adding a (temporary) workaround, but that will be on @infinisil's plate.
Thank you for reporting the issue!
We'll keep this issue open until the metadata is well-formed or we merge a workaround.
I was just testing out the repo so no rush on implementing a fix or workaround from my part, but thanks for the quick response!
Alright, thanks for the issue though! I'd say let's wait for a response by the FIDO alliance before proceeding further. Wouldn't want to implement a workaround for somebody else's bug if we can avoid it.
We got a reply, the mistaken record has been corrected, and I can confirm that the demo server runs again :)
Cool, thanks!
When running the demo server with
./run.sh
, the following error is thrown. (I omitted the subject key identifier, if it's of relevance I'll bring it back.)The tests pass with the metadata from the repo (in
tests/golden-metadata
) but after updating the blobs using/bin/update-test-blob
, the following error is thrown:I'm on NixOS and use the recommended nix setup described in the README.